As COVID-19 cases have further spread over the past few weeks, our team has come across new lures that target an individual's fear of coronavirus as it relates to their health insurance coverage. Both examples lead to malicious sites that attempt to steal Microsoft Office 365 login credentials.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.
COVID-19 Health Insurance Purchase Lure
This lure claims to be from the potential victim's health insurance provider and indicates a recent purchase of COVID-19 coverage. In it, the scammer prompts the victim to click on the link to access their bill statement. This link redirects to:
hxxp://ambesagar.choicegroup[dot]co/cgi-bin/williamlrobertson.php?t=VHVlLCAxNyBNYXIgMjAyMCAwMDoxMjo0OCArMDMwMA==
The sender's name and address are Covid Axu and abuse@createandgo[dot]com.
COVID-19 Testing Coverage Lure
This second example uses a fake secure DocuSign notification, claiming to provide FAQs as they relate to your company's health insurance plan, and more importantly, whether or not testing for COVID-19 is covered.
The sender's address was revealed to be spoofed, and the link in question led to:
https://naturaposadaspa[dot]com.ve/covid19/924423a24b28423604ff3c1fb2999d11/?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dYt7-7eyyHeFUM0uYZsfoVtrmWR-ZHK4M_YfvCz6t_0xh5BbufcLwdcwJNuZNClJLaPdPIOOVJ9xw5703gnuqjnqxz4UaW5TQI0gduDMua4HmXHlHaRKE7IVziT-USqs5&nonce=636850646117429778.Y2Q5ZDIwM2ItMjY1YS00NDE1LWJlODEtNjUzNTIwMjEzY2YyODEwNThkYzgtMjVkOS00NTBkLTk0Y2QtOTgzMGRhZWZhYzFi&redirect_uri=https%3a%2f%2fwww.office[dot]com%2f&ui_locales=en-US&mkt=en-US&sso_reload=true
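For triage of reported URLs like the two above, the following added example (not PhishLabs code) refangs a URL, decodes base64 query values such as the t parameter in the first link, and flags OpenID Connect sign-in parameters that redirect to office.com but are served from a non-Microsoft host, as in the second link. The function names and the list of genuine Microsoft login hosts are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts treated as genuine Microsoft sign-in endpoints.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
OIDC_PARAMS = {"client_id", "response_type", "redirect_uri", "scope"}

# Defanged lure URLs from this post (second one trimmed: state, nonce and locale
# parameters dropped), plus a constructed benign sign-in URL for contrast.
LURE_1 = ("hxxp://ambesagar.choicegroup[dot]co/cgi-bin/williamlrobertson.php"
          "?t=VHVlLCAxNyBNYXIgMjAyMCAwMDoxMjo0OCArMDMwMA==")
LURE_2 = ("https://naturaposadaspa[dot]com.ve/covid19/924423a24b28423604ff3c1fb2999d11/"
          "?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_type=code+id_token"
          "&scope=openid+profile&redirect_uri=https%3a%2f%2fwww.office[dot]com%2f")
BENIGN = ("https://login.microsoftonline.com/common/oauth2/authorize"
          "?client_id=00000000-0000-0000-0000-000000000000&response_type=code+id_token"
          "&scope=openid+profile&redirect_uri=https%3a%2f%2fwww.office.com%2f")


def decode_b64_params(query):
    """Return {name: text} for values that are padded base64 of printable ASCII."""
    found = {}
    for name, values in query.items():
        value = values[0].replace(" ", "+")  # parse_qs turned '+' into a space
        if len(value) < 16 or len(value) % 4:
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            found[name] = text
    return found


def analyze(defanged_url):
    """Refang a URL, then report lookalike sign-in shape and decoded parameters."""
    parts = urlsplit(defanged_url.replace("hxxp", "http", 1).replace("[dot]", "."))
    query = parse_qs(parts.query)
    host = (parts.hostname or "").lower()
    redirect_host = urlsplit(query.get("redirect_uri", [""])[0]).hostname or ""
    to_office = redirect_host == "office.com" or redirect_host.endswith(".office.com")
    # OIDC authorization-request parameters on a host that is not a Microsoft login host
    lookalike = OIDC_PARAMS.issubset(query) and host not in MS_LOGIN_HOSTS and to_office
    return {"host": host, "lookalike_signin": lookalike, "decoded": decode_b64_params(query)}
```

Run analyze() only on URLs as text; it never fetches them.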
Both lures are compelling in part because many employees are experiencing uncertainty around their jobs, their benefits, and their healthcare coverage. As the pandemic has grown, numerous stories have emerged describing individuals concerned that they might have the virus and proactively getting tested, only to walk away with a negative diagnosis and a hefty bill. Insurance or not, employees and individuals everywhere are looking for clarity into how testing and a potential diagnosis will affect their pocketbooks, making phishing lures such as the above all the more effective and dangerous.